Malicious RTF — malware analysis report

Static analysis result for SHA-256 4bfb8ce2f444e5c8…

MALICIOUS

RTF

1.80 MB First seen: 2024-08-17
MD5: 13bd261d520bb421a7c6e825c511b482 SHA-1: 0e90154bbd896f995d1cabfbee8845e52385c8ec SHA-256: 4bfb8ce2f444e5c84b8fed392ffd18f0cc649ab3e2c8aea9423f59f45c104d95
466 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The RTF document contains multiple high-severity heuristics indicating social engineering lures, including impersonating DocuSign, creating urgency, and instructing the user to handle password-protected archives. Crucially, it embeds a secondary PDF file which itself contains critical findings related to JavaScript exploits and XFA forms. This suggests the RTF is a dropper for a malicious PDF designed to exploit vulnerabilities via JavaScript.

Heuristics 15

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Document signing service impersonation lure medium SE_DOCUSIGN_LURE
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.gwg.org/ns/gwg_preflight_v1/preflight_resultsprofile_name%PROFILE%profile_creator%PROFILE_CREATOR%profile_creator_version%PC_VERSION%Errors%ID%%INFO%PDF/E-1:2008PDF/A-1aPDF/A-1b:2005PDF/A-1a:2005PDF/A-1b:2005PDF/A-2aPDF/A-2bPDF/A-2u:2010PDF/A-2APDF/A-2a:2010PDF/A-2BPDF/A-2b:2010PDF/A-2UPDF/A-2u:2010PDF/A-3aPDF/A-3bPDF/A-3u:2012PDF/A-3APDF/A-3a:2012PDF/A-3BPDF/A-3b:2012PDF/A-3UPDF/A-3u:2012PDF/X-4PDF/X-4p:2008PDF/X-4:2008PDF/X-4p:2008PDF/X-4:2010PDF/X-4p:2010PDF/X-5gPDF/X-5pgPDF/X-5nPDF/X-5g:2008PDF/X-5pg:2008PDF/X-5n:2008PDF/X-5g:2010PDF/X-5pg:2010PDF/X-5n:2010PDF/VT-1PDF/VT-2PDF/VT-2sPDF/UA-1:2012%ISO%%TRAPPED%PDFStandardsDocDidCloseShimA12_NavpaneStandards.pdfStructElementListBookmarkNameprintTransfersprintSetPageSizeprintUCRBGApplySoftProofprintAutoRotateprintWhatPDFormsAsPSFormstrapAnnotsMaxJP2KResEmitFlatnessTrueTypeAsT2printReversePagesPrintSaveTonerprintScalingDestProfileSelectorprintNupNumPagesHprintNupNumPagesVprintNupOrderingprintNupBorderprintNupRotateprintBookletBindingprintBookletDuplexModeprintBookletSubsetFromprintBookletSubsetToRasFlagsConvertTextToOutlinesConvertStrokesToOutlinesClipComplexPresOverprintTransparencyLevelprintDPIprintGradDPIPAIResPresetNameLeaveAsIsDestinationFilePDF
    • https://geo2.adobe.comAVUtilWriteDebugLogEnabled
    • https://acrobat.adobe.comdc-prod-virgowebAdobeID,openid,DCAPI,additional_info.account_type,additional_info.optionalAgreements,agreement_sign,agreement_send,sign_library_write,sign_user_read,sign_user_write,agreement_read,agreement_write,widget_read,widget_write,workflow_read,workflow_write,sign_library_read,sign_user_login,sao.ACOM_ESIGN_TRIAL,ee.dcweb,tk_platform,tk_platform_sync,ab.manage,update_profile.first_name,update_profile.last_namehttps://stage.acrobat.adobe.comdc-stage-virgowebtokendocuments/agreements/?filter_panel=paymentinfohttps://new.express.adobe.com/?category=documentprojectx_webapphttps://stage.projectx.corp.adobe.com/?category=documentIsB2BTrialDisabledacrobat_dchttps://commerce.adobe.com/store/change-plan/team-upgrade/plans?StageRedirectionhttps://commerce-stg.adobe.com/store/change-plan/team-upgrade/plans?co=&lang=&cli=AEAMARATAZBEBHBOBYCHCLCYCZDEDKDODZECEEEGESFIFRGBGEGRGTHKHRHUIEILJOJPKEKGKRKWKZLBLKLTLVMDMOMTMUMXMYNGNLNZOMPEPHPLPTPYQARORUSGSISKSVTJTTTWUAUYUZVNZAenfrdeesjakoruitnlzh-hantpltrsvdanbcsfiukFRAPTGRUSITANLDPOLSVEDANNORCZESUOUKRPTB1
    • http://bEnableLoggingpasswordAESV1CheckkESReportSrcURLKeykESReportInURLKeykESReportURLTrustKeykESReportCrossdomainKeykESReportDataInjectionKeykESReportScriptInjectionkESReportAuxDownloadMessageInternetAccess_TrustManagerCPID_AVcr_000000DisableTrustedSitesEnhanced
    • https://teams.microsoft.comhttps://web.whatsapp.com/send?text=https://teams.microsoft.com/share?href=https://mail.google.com/mail/?view=cm&fs=1&tf=1&su=https://outlook.office.com/mail/deeplink/compose?mailtouri=WhatsappGmailOutlook&msgText=&body=mailto:?subject=3PappTypeNativeOutlook:SafariMode:Browser_Open_failControllerRevised_SSRevised_SS_ACPRevised_SS_SCUnifiedSharesheetButtonFetchLinkInviteBoxSharesheetInvitehashed_device_idtarget_remember_melast_namecascadingbearer_tokentarget_client_idtarget_redirect_uritarget_scopepbadt_formatPropertyButton_IdleProc_DisableIdle_Proc_Disabled/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVPropertyButtonView.cppPropertyButtonUpdateIdleProcPropertyButton_IdleProc_EnableIdle_Proc_EnabledAVPropertyButtonViewAVPopupAnnotScrollViewAVNoteCloseBoxViewA12_AV2_CheckMarkIcon.pdfA12_CloseCommentPopUp.pdfAVNoteButtonViewAVNoteStaticTextViewAV2NoteReplyViewAVNoteReplyView
    • https://AV2::EchoSign::UpdateProgressBarDelayProcAcrobat2019DeepLinkNo
    • http://acroipm2.adobe.comBaseURL2https://acroipm2.adobe.comUnknownDisplayLocationToastSharePaneFormCentralSignPaneBH_Descritpion_DialogSendMail_DialogRecentFileEveryWhereEPDF_RHPCPDF_RHPRHP_NOTIFICATION_BOTTOMRNA_Offline_LocationRNA_HomeView_LocationUpsell_DialogFirstTimeExperienceReaderEditCombineSignInReducedModeCardTrialExpiredReducedModeCardSubExpiredLastDisplayLocationNo
    • https://app.box.comhttps://www.dropbox.comhttps://login.microsoftonline.com/common/oauth2/authorizehttps://login.live.com/oauth20_authorize.srfhttps://accounts.google.comcodeerrorerror_descriptionerror_urierrorcodeoauthaccesstokenverbcode_verifierclient_secretgrant_typeresponsebodyaccess_typetoken_access_typeskipAuthStepresponseURLaccesstokenURLuser=auth=Bearer
    • https://ims-na1.adobelogin.comClientIDClientSecretb1c3fc35-5903-47d9-8f75-29eca4bab54aa7f036b4-792e-4653-a504-470c80315d18[created_at]devicedevice_iddevice_namelocale=googlefacebookprovider_idsocial.deep_link.desktop/darq/delegation/browser/v1/urls?AdobeID
    • https://delegated-stg1.adobelogin.comhttps://delegated.adobelogin.comAcrobat_Browser_SS02Acrobat_Browser_SS05c7a67312-9240-4203-a0a3-50991b2bfe43f1f22dfa-3c66-4a15-ac51-cf00d96d1bb4s8e-xT0h0MkWAHcvq9NZgWNV2nPMEepiswgFp8e-pkiM-Imdfx3zPqiBaOXh5w2OQsShNWelAcrobatFeat9cb071ba7-6ab6-411f-9557-e22c4dff487e8f106bc3-341d-48af-81c1-71f8f40b61b4%d.%d.%02dToolbar_BHA12_AV2_CloudConnectionChangesUnsaved_18px.pdfA12_AV2_CloudUpload_18px.pdf%00%01%02%03%04%05%06%07%08%09%0A%0B%0C%0D%0E%0F%10%11%12%13%14%15%16%17%18%19%1A%1B%1C%1D%1E%1F%20%22$%25%3C%3E%5C%5E%60%7B%7C%7D%7F%80%81%82%83%84%85%86%87%88%89%8A%8B%8C%8D%8E%8F%90%91%92%93%94%95%96%97%98%99%9A%9B%9C%9D%9E%9F%A0%A1%A2%A3%A4%A5%A6%A7%A8%A9%AA%AB%AC%AD%AE%AF%B0%B1%B2%B3%B4%B5%B6%B7%B8%B9%BA%BB%BC%BD%BE%BF%C0%C1%C2%C3%C4%C5%C6%C7%C8%C9%CA%CB%CC%CD%CE%CF%D0%D1%D2%D3%D4%D5%D6%D7%D8%D9%DA%DB%DC%DD%DE%DF%E0%E1%E2%E3%E4%E5%E6%E7%E8%E9%EA%EB%EC%ED%EE%EF%F0%F1%F2%F3%F4%F5%F6%F7%F8%F9%FA%FB%FC%FD%FE%FF%21%23%24%26%27%28%29%2A%2B%2C%2F%3A%3B%3D%3F%40%5BAPIEndPointUrlMasterURLhttps://files.acrobat.com/apiAiCBaseURLhttps://createpdf.acrobat.comIsSharedDevice[api]api[ims]ims[cloud_do_not_use]cloud_do_not_use[download]download[rendition]rendition[upload]upload[prefs]prefs[users]users[send_api]send_api[ui_helpers]ui_helpers[commenting_uri]/base_uris?force=truex-request-idConversion
    • https://ims-prod06.adobelogin.comHandling
    • https://acrobatoauth.adobe.comAdobeID
    • https://ims-na1-stg1.adobelogin.comConnectionCache-Controlgrant_type=password&username=&password=GetRefreshTokenUsingPasswordGrant_InternaldoSimpleRequest
    • https://lcs-cops-dev.adobe.iohttps://lcs-cops-stage.adobe.iohttps://lcs-cops.adobe.iohttps://lcs-robs-dev.adobe.iohttps://lcs-robs-stage.adobe.iohttps://lcs-robs.adobe.iohttps://lcs-ulecs-dev.adobe.iohttps://lcs-ulecs-stage.adobe.iohttps://lcs-ulecs.adobe.iohttps://resources-dev.licenses.adobe.comhttps://resources-stage.licenses.adobe.comhttps://cc-api-data-stage.adobe.io/ingesthttps://cc-api-data.adobe.io/ingest.dev.frl-offline.adobe.com.stage.frl-offline.adobe.com.frl-offline.adobe.comCOPWebAPIConnectorsetSelectedFilessetOpenPlatformDialogsetFileAncestorsgetFileAncestorscancelDialogisSettingsButtonVisiblesettingsButtonExecuteisViewResultVisiblegetViewResultInitialStaterestrictEditingChangednonDefaultRecentselectedFileObjectssaveAsParentFolderObjectHangCollectionHungSessionIdHangTypeHangUUIDHangStackAppActiveHangStackisMainThreadHangcom.adobe.SessionHangStatusAbonrmalSessionsPrevSessionHangfileSelectDatabytesReadstreamStatechunkArrayreadChunksclearChunks==AVGetAttachmentListAVGetAttachmentListRowCountOpenAttachmentFromUIAVGetPortfolioAttachmentListAVGetPortfolioAttachmentListRowCountOpenPortfolioAttachmentFromUIPreviewPortfolioAttachmentSplitPortfolioViewGetPortfolioViewSplitGetPortFolioViewTypeSetPortFolioViewTypeGetPortfolioPreviewParametersAVGetFileAttachmentCountAVSelectFileAttachmentAVDeleteSelectedFileAttachmentAttachmentRowCountfileIndexPortfolioSplitTypeHORIZONTALVERTICALNOSPLITPortfolioViewTypeDETAILSLAYOUTIsPortfolioInPreviewModePreviewFileNameIsPreviewSuccessfulIsPortfolioInCoverSheetModeFILE_stopwords.ToolsSearchUpdateIdVersionLoVersionHiRegisteredAppsTextToImageAppNewSearchHintIndexTCSearchHintIndexMEAMEHNAFToolsSearchCacheRdrToolsSearchCacheAcrosKeywordAVToolsSearchResultsToolsSearch::PerformSearchToolsSearch::PerformSearchAndGetDescriptionSkipAutoUpdateInstallFailureAlertViewDownloadManuallyCTASpellingDictsRedirectToWebA12_AcrobatUpgradeWithSpinner_20fps_01_Dyn.pdfA12_AcrobatUpgradeWithSpinner_20fps_02_Dyn.pdfA12_AcrobatUpgradeWithSpinner_20fps_03_Dyn.pdfA12_AcrobatUpgradeWithSpinner_20fps_04_Dyn.pdfA12_A
    • https://files.acrobat.comPENDINGFAILEDitemsparcel_idmodify_datecreate_datelast_access_dateuser_last_access_datefavoriteasset_listasset_nameFILEasset_idmessageownership_typessenderuser_idparticipant_listemailparticipant_idopened_stateopenednot_openedinvitation_idtotal_hitsstatus_codeerrorsresult_setsSendTrackWorkflowService::RedirectSignedUrlSendTrackWorkflowService::DownloadAndOpenFileSend
    • https://resources.licenses.adobe.comhttps://s3.amazonaws.comhttps://ffc-icons.oobesaas.adobe.comhttps://cdn-ffc.oobesaas.adobe.comhttps://acc.adobeoobe.comhttps://ardownload2.adobe.comhttps://agsupdate.adobe.comhttps://genuine.adobe.comhttps://prod.adobegenuine.comhttps://na1e.services.adobe.comhttps://aps.adobe.comhttps://www.acrobat.comProcessing
    • https://api.echosign.comQkBJR01ERElISEpNQVg3dFxWIlxwZUJUX1VOKyRfTBRrT2BGYE1iRnxeYUstYEhvbh9rUVtSQ1Z6f1JRUkYPBTUAdA88Ci4OGi4nBDlOApiKeySecretHostURLTOBURLRengaURLUseRengaAuthAcrobat.com.v2Acrobat.com.v2/SecretSyncApiKeySyncSecretAcRdApiKeyAcRdhttps://api2.acrobat.comhttps://v4.services.acrobat.com/https://v3.services.acrobat.com/https://api2.acrobat.com/webservicesbmkzNDZEcnp7WmdFZ35mRntQQnZ8RxdIU3teeW5PaFVJQE9DcG8fYWNbXkRsLg==a01HTX9LM0E9RXt4eEZJZyF+JGdUYRdOTWp0V1FVbFZlbEBJQlB0TVB+fn5KLg==MmFmPTY+Mj4wM2g4azc3KXNwK3Ihcicrfyt/LComekIhR0YXE0ARSUwYGx5LSxsEAAJXAgxSVAoKX1pZBVpdeSNCOGQyNzNnZTpsPDxqO2s3dnd2ISUicHN+L3t4K3svJ0IhQBUcQEJDHBscEx4UFk4BAQtQA1QDVFoLDwgIDwtdIndChttps://api.share.acrobat.com/webservices/api/v1/https://api.share.acrobat.comhttps://tob.acrobat.com/TOB/auth/account/wsapi/auth/v1full
    • HTTP://HTTPS://&autoPlay=BoundingBoxTransparentBoundingBoxTransparentBoundingBoxOutlineShadedVerticesShadedWireframeSolidSolidWireframeTransparentWireframeIllustrationSolidOutlineShadedIllustrationHiddenWireframevolume=3ds3dxmlsatsabiptiamcadds_pdpdmodeldlvsessioncatproductcatpartcgrdaemf1arcunvpkgifcigesigsjtxv3xv0prtsdpsdpcsdwsdasdsbdlsessdacsdscsdwcx_tx_bprdxprasmxasneuparpwdpsmsldasmsldprtstepstpstlvrmlwrlaacaifaiffaulqtm3um4amidmidimndmp2mpamperaramrmrmsrmvbrmxrprtsmismilsndwavwaxwmwma3gppasfdvm1vmpegmpeg4mpgmpg4qtrmiwmvwmxlinespacingfontStretchendParagraphacrobatmarkupFixedPrintspanbrstylehttp://www.w3.org/1999/xhtmlbhttp://www.w3.org/1999/xhtmlihttp://www.w3.org/1999/xhtmlspanhttp://www.w3.org/1999/xhtmlphttp://www.w3.org/1999/xhtmlbodyhttp://www.w3.org/1999/xhtmlbrhttp://www.xfa.org/schema/xfa-data/1.0/APIVersiondoublewordline-throughfont-variantsmall-capsfont-stretchfont100200300400500600700800900xfa-spacerunAcroform:Acrobat:double
    • https://m.bugs.corp.adobe.com/dcissues/discardchangesreportAVPreReleaseFeedback::GetEmailDatafeatureIdLayoutSelectionServerObjectSelectionServerTextSelectionServerTouchUpHighlightContentServerFieldGlobalSigInfoUtilWebLink.acroplugincom.adobe.acrobat.plugin.weblinkPDDom.acroplugincom.adobe.acrobat.plugin.pddomMultimedia.acroplugincom.adobe.acrobat.plugin.multimediaSearch.acropluginADBE_Searchcom.adobe.acrobat.plugin.searcheBook.acroplugineBookcom.adobe.acrobat.plugin.ebookSpelling.acroplugincom.adobe.acrobat.plugin.spellingAcroForm.acroplugincom.adobe.acrobat.plugin.acroformDigSig.acropluginDIGSIGcom.adobe.acrobat.plugin.digsigPPKLite.acropluginppklitecom.adobe.acrobat.plugin.ppkliteDropboxStorage.acropluginDropboxStoragecom.adobe.acrobat.plugin.dropboxstorageDVA.acropluginADBE:DictionaryValidationAgentcom.adobe.acrobat.plugin.dvaReadOutLoud.acropluginReadOutLoudcom.adobe.acrobat.plugin.readoutloudADBE:MSRMScom.adobe.acrobat.plugin.msrmsSendMail.acroplugincom.adobe.acrobat.plugin.sendmailEFS.acroplugincom.adobe.acrobat.plugin.efsUpdater.acroplugincom.adobe.acrobat.plugin.updaterMakeAccessible.acropluginMake
    • https://acrobat.adobe.com/link/https://stage.acrobat.adobe.com/link/webformsendinbulklegaltemplates/?client=desktopsignatures/?signUri=%2Faccount%2FaccountSettingsPage%23pageId%3A%3AACCOUNT_SETUPsignatures/?signUri=%2Faccount%2FaccountSettingsPage%23pageId%3A%3APAYMENT_INTEGRATIONsignatures/?signUri=%2Faccount%2FaccountSettingsPage%23pageId%3A%3ASIGNATURE_PREFERENCEShomeBraintreeSupportedCountriesAD,AT,AU,BE,BG,CA,CH,CY,CZ,DE,DK,EE,ES,FI,FR,GB,GI,GR,HK,HR,HU,IE,IS,IT,JE,LI,LT,LU,LV,MC,MT,MY,NL,NO,PL,PT,RO,SE,SG,SI,SK,SM,USRHPDefaultTouchpointProtectHomeViewFirstMileSophiaContentHomeViewCardOrderToggleSophiaWebInfraCardIDBringSignAppsOnTopOfToolsRHPEnableAXRHPTouchpointExperimentAXRHPTouchpointIsEnabledCCXRHPTouchpointAXUnsignedProductVersionAcroAppLaunchedFeaturedClicksToDismissFeaturedAppTimesOpenedMajorVersionMinorVersioncreate_pdf_conversionsexport_pdf_conversionsFirstToolUsageWalkthroughStatusFirstToolUsageWalkthroughAppA12_FirstMileFileOpen.pdf/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/HomeView/AVHomeFirstMileToolsCardView.cppAVHomeFirstMileToolsCardView::RecentFileChangedDelayedProcAppName=ToolDiscoveryCardShowFirstToolUsageWalkthroughDelayedProcFirstMileToolsCardAllToolsButtonFirstMileToolsCardToggleAVFirstMileToolsContainerViewAVFirstMileFileOpenCardAVFirstMileToolCardAVHomeFirstMileToolsCardViewAVRichStaticTextViewAVCreateAppThumbnailWidgetSelectionExportExperiment::SelectTextSelectionExportExperiment::SelectImageSelectionExportExperiment::ClickActionButtonOnBezelSelectionExportExperiment::ClickDoNotShowButtonOnBezelTopCoordinateLeftCoordinateRightCoordinateBottomCoordinate/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/DesktopPersonalization/Sophia/Source/AVSophiaMasterSurface.cppDelayedFetchSurfaceContentHandler[control]toggleRFLViewTypeProcessRecentFilesCmdParamsSignFileOpenedViewFileOpenedGTSessionOpenedReviewFileOpenedDocCloudFileOpenedLocalFileOpenedRFL_SearchInput/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/PrefsSync/source/AVGenPrefSyncMgr.cppCAVGenPrefSyncMgr::GetUserPrefsFromS
    • https://acroipm2.adobe.com/assets/viewer/mv/cl/admin/benableEntAdminUserLastPingTimeEntUserLastPingTime/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/ModernIPMHandler.cppAV2UIExecuteProcNumOfTimesSwitchToAV2BannerClosedSwitchToAV2BannerNotificationSwitchToAV2AlertCrossClickedDocDidOpenHandlerExploreLinkClickedHasUserChangedRHPStickyState[all]MVExperimentPingEventhttps://acroipm2.adobe.com/assets/mvexp/non_en/DisableMVAnnouncementCardFLSwitchToAV2Bannercom.adobe.ARMDCPageViewDidChangeProcPDDocDidChangePagesNotifyProc/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVUriDetector.cppFindUriIdleProcContextMenu::SelectisMenuCreatedMenu
    • http://www.aiim.org/pdfua/ns/id/conformancepdfuaidpartCustomMetadataPropertiesKeyValuehttp://www.aiim.org/pdfa/ns/id/IsMDCEItemMDCE:NameMDCE:PriorityMDCE:DescriptionMDCE:ActiveMDCE:ToolBarAcroView:FlashDMBLearnMoreButtonAlert_FlashPlayer_MacMDCE:IconA12_DMBAlert.pdfCommandStatusAVPDFStandardsHTMLViewPopupsScrollWithPageAV3DVirtAnnot::sPrefDidChangeNotifAV3DMarkup::sAVDocDidSetSelectionNotifAV3DMarkup::sAVDocDidAddToSelectionNotifAV3DMarkup::sPDAnnotDidChangeNotifAnnots:RegisterDriverCBAV3DAnnot::sActivePageViewDidChangeNGLoobeLicMgrStaus/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AMT/AcroLicenseManager.cppGetAcroLicenseModeIndirectDelayProcStartPFProcessingStartHeartBeatAcroNGLProductChangedDelayedProcInstrumentLaunchPings_InstrumentPHThreadHeartbeatThread+00:00application/vnd.kafka.avro.v2+jsonapplication/vnd.kafka.v2+jsonvalue_schema_idDIMevent_sourceevent_identity_typeid_typeauthsrcentity_idproduct_usageaction_typeattrevent_dtsprocessed_dtsingest_dtsrecordshttps://dim-kafka-rest.adobe.io/topics/https://dim-kafka-rest-stage.adobe.io/topics/offsetsSUCCESSFUL
    • https://udps.adobe.com/https://udps.stage.adobe.com/fetch_user_tracking_flagAccess-TokenEnableConsentForRiverColoradoExtractServicePostIMSSignInResolvedStart
    • https://acroipm2.adobe.com/assets/pdfOwnership/mac/rdr/acr//yes/noownershipDialogRespDisableDNSChecklocalhostEnableNetworkLoggerEnableNetworkLogWithTimeStampAcroNetLogger.txtDistillerAlwaysShowTrustDialog%%Privacy_AutomationActionOKActionNotNowCreateMultiplePDFOfficeAppleEventAccessPrivacy_ScreenCaptureCreatePDFFromWindowCaptureScreenAccessDialog~%APPNAME%%FILENAME%Privacy_DocumentsFolderActionhelpFileAccessDialog$$$/Dialogs/DistillerTrust/Title$$$/Dialogs/DistillerTrust/BodyCoolOffProcSchedulerSection_customCoolOff/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVUtil.cppprocPerformanceAppResponsivenessMessageProcessingMaxTimeMessageProcessingAvgTime...Idle_Above_5sIdle_1s_5sIdle_500_1sIdle_100_500Broadcast_Above_5sBroadcast_1s_5sBroadcast_500_1sBroadcast_100_500Listener_Above_5sListener_1s_5sListener_500_1sListener_100_500BGAppResponsivenessFavoritesFeaturesLockDownFavoritesStripInRFLFavoritesLeftRailItemFavoriteFilesSyncFavoriteFilesAccessOptionFavoriteFilesRememberChoiceMicrosoftGraphIsMicrosoftGraphPrefOnMicrosoftGraphFeaturesLockDownFormsPrefsAutoEnableTextEditingShareVariantUSLastShareModeMigrated([a-zA-Z0-9-
    • https://acroipm2.adobe.com/assets/rm/contextualSignIn/experimentvariantshown_signedinwithexperimentvariant_UserProfileExpiredmauinexperimentvariant_ContextualSignInMAULastPingTimesignoutuserswithexperimentvariant_ContextualSignInSignOutUsersLastPingTimeRemoveCollabByOwnermarspdfxmlAVDummyViewPane
    • https://oobe.adobe.com/GenerateProxyRequiredWFentryResourceIdentryQueryStringworkflowIdCodeGenerateWEForLSWFNot
    • http://www.dictionary.com/browse/Wrong
    • http://cv.iptc.org/newscodes/digitalsourcetype/compositeWithTrainedAlgorithmicMediasoftwareAgentAdobe
    • https://cai-stage.adobe.io/signature/box_size/v1https://cai.adobe.io/signature/box_size/v1ResumeReadingAuthorizationx-api-keycai-desktop-helperbox_sizeinvalid
    • https://cai-stage.adobe.io/manifest/sign/v2?box_size=https://cai.adobe.io/manifest/sign/v2?box_size=Content-Typeapplication/octet-streamPOSTwarnModifiedFileCopyThisPageViewKilledsDismissProcsEducateProcAutoDockUndock::sIPMUpdateAutoDockUndockHUDPercentAutoDockUndockHUDPinHUDResizeWindowAutomaticallyRightClickOpenedFromCtxMenutoolComponentTypeDiagnosticsSCA
    • https://oobe.adobe.com/reader_modal?origin=INAPP&offer_type=&plan=edit_pdfexport_pdfInAppTestSetGeoLaunchedMarketingContentInAppReducedModeresidual_app_subscription_upgrade_banner_workflowtools-centersave-menurhp-panelright-click-menutool-barmore-toolsmega-verbshome-view-rhpfirst-milefile-menuedit-menudiscover-panelbezelalltools-megaverbconvert-megaverbedit-megaverbsign-megaverbmore-megaverbsearch-menuedit-mv-lower-bannerconvert-mv-lower-bannerfloating-toolbartop-menubarms-wordos-right-context-menurhp-bottom-bannerms-exceldiscover-panel-bottom-bannerms-powerpointsign-mv-bottom-bannerpage-thumbnailpage-thumbnail-right-clickpage-thumbnail-optionspage-thumbnail-inplace-barwindows-hamburger-menumore-mv-bottom-bannerhome-lhp-bottom-bannerglobal-bar-menuNativeRS_Post_SendNativeRS_InvokeNativeRS_Review_Sendtouchup-right-click-menuHome_Lhp_Trial_Bannerdrag-and-dropalltools-mv-bottom-banneropen-file-menuglobal_barhome-top-right-subscribe-buttonNativeRS_Recents_Multifile_clickNativeRS_multifile_File_DialogEdit_Megaverb_TileEdit_Megaverb_TooltipGenAI_Deep_Link_Workflowright-railcoachmarkedit-megaverb-rcmconvert-megaverb-rcmalltools-megaverb-rcmwhats-newtranscript-file-clickotheraccessibilityindex-pdfpdf-standardspage-displayreader-upgradecompare-filesprint-productionprint-pdfrequest-e-signaturedevelopercreate-custom-toolaction-appsave-astry-acrobatprogentech-assistantgentech-summarycertificatesmeasurestampsharefindpage-navigationsave-to-cloudstar-to-cloudselect-zoomsave-pdfrotate-pagesadd-watermarkdelete-pagesadd-imageadd-textrotate-pages-ccwrotate-pages-cwcopy-fileinsert-pagescreate-review-excelunderline-textremove-batescreate-pdfmaker-wordstrike-outcreate-agreementhighlight-textcreate-pdfmaker-pptadd-batesobject-toolappend-linkcreate-review-wordcreate-shareextract-pagescreate-pdfmaker-excelsave-copyadd-or-edit-linkcopy-textcopy-imagecreate-share-wordcreate-share-pptcreate-share-excelsticky-notecreate-review-pptbbox-bezelbbox-action-bezeladd-header-footerupdate-header-footerremove-header-footerupdate-watermarkremove-watermarktext-
    • http://www.adobe.com/go/cpdfrdr_12_0_0http://www.adobe.com/go/epdfrdr1_12_0_0FromInPlaceEditToolUpsellDialogClosedTOOL_CENTERRIGHT_HAND_PANELHOME_VIEW_CONTEXT_BOARDIN_PLACE_TOOL_PANELQUICK_TOOLSRIGHT_CLICK_MENUFIRST_MILEOTHER_LOCATIONMEGAVERB_BARDISCOVER_PANELMORE_TOOLSSEARCHALLTOOLSVIEWER_ALLTOOLSBEZELSAVE_AS_DIALOGEDIT_MEGAVERBCONVERT_MEGAVERBSIGN_MEGAVERBMORE_MEGAVERBHOME_LHP_TRIAL_BANNERHOME_LHP_BOTTOM_BANNERGLOBAL_BAR_UPGRADE_CTAHOME_TOP_RIGHT_SUBSCRIBEAVUpsellShowMarketingContentDelayedProcFileOpenedFileInfoToolnameAppCtxIdCampaignIdStoreFileToolInfoInAppPurchaseIPC::HandleAppQuitLaunchWelcomeCardPostCefInitializationRedModeUpsellTypeVariantRedModeExpEnabledWebResourceAnnotsRedactEditToolMenuItem_UpsellShownReaderUpsellTwPUpsell[tcatIds][twpVariant][tcatIds][readerUpsellVariant]ExperimentAppliedInAppPurchaseEvents[data][dark][light]DEFAULT[dataType][dimensions][width][dimensions][height]ReviewPDFExport:aic.aicDialogViewNGLUpsellEvaluationCountObject
    • https://api.na1.adobesign.com/api/gateway/searchhttps://api.na4.documentsstage.adobe.com/api/gateway/searchhttps://dc-signauthoring.adobe.io/agreementshttps://dc-signauthoring-stage.adobe.io/agreementsJISUNICODEadobe_licensing_wf.exeadobe_licensing_wf_helper.exeadobe_licensing_wf_acro.exeadobe_licensing_wf_helper_acro.exepuserhintsidp_flowdcngl_ingest_nglu*****AdobeIDNGLU1
    • https://oobe.adobe.com/
    • https://acroipm2.adobe.com/assets/accounttype/mac/reader/acrobat/type2e.ziphttps://acroipm2.adobe.com/assets/t2eauthtype/mactype2e/authtype1authtype3argument
    • https://api2.branch.io/v1/urlkey_live_pbKc1OdmiXCZnwq34n7rIpjfrtphZEln/v1/notificationsUserGuidNotFound2023-06-Send
    • https://notify-stage.adobe.io/anshttps://notify.adobe.io/ansSendToDeviceNotificationSentSuccessfullyEFSNotificationNotSentEFSNotificationSentSuccessfullyCEFNotificationNotSentCEF
    • http://ns.adobe.com/acrobat/theme/2016iconSethoverdisabledColorRGBAppleInterfaceStyleDarkAVTabViewBaseAVTabStripViewDockablesSinglePanelsAutoHidePanelsInternalTabsExternalTabsLogPrefsUsageData
    • http://www.w3.org/2001/XMLSchema-instance
    • https://acroipm2.adobe.com/assets/sca/macsca/purchase/PurchasePointPurchaseWeekSignInShownAlreadySignedIn/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVThicknessFloatingMenuToolbarWidget.cppShowSettingsDialogInIdleLhAVLineThicknessMenuthickness_changeInvalidateOnToolChangeSelectionAVLineThicknessWidgetInstructionsNeedPauseAVCommandApplyRedactionsPrivFileData%s
    • http://ns.adobe.com/AdobeFormsCentralWorkflow/1.0/fcwf:submitURLFormWorkFlowDataWF_CTTShowAnnotConnectorHidePopupIfShowSummaryShowEbookMenuAV2DefaultPreviousAppRedactImageAcro:ReplaceRedactContextMenuExecProcReturn
    • http://ns.adobe.com/pdf/navigator/navigators/ListFilePreview/2007DocumentViewModeNo
    • https://acrobatoauth.adobe.com/?onTimeouterrorMessageFullScreenButtonHandlerOpenFullScreenButtonHandlerCloseHelpFeedbackSubmittedShowOnlineHelpSectionShowHelpTourShowWhatsNewShowWTAOnboardingShowHelpforRequestSignatureIsInAppHelpExperimentEnabledCloseHelpPopoutHelpPopinHelpSwitchToolOnCardClickAfterExperimentCompletedBeforeExperimentCompleted/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVMeasure2D.cppSavePreferencePageUnitScaleUnitPrecisionPageValueScaleValue2DResetMeasurementToolbar2DShowHideMeasurementToolbar2DResetMeasurementWindow2DShowHideMeasurementInfo2DMeasurePrefs2DExportMeasureToExcel2DOnOffSnapToContent2DMeasureShowHideRulers2DMeasureOrthoOnOff2DMeasureEnableMarkup2DMeasureLabel2DMeasureScale2DCancelMeasurement2DCompleteMeasurementANSB_ModDatenSortByANFB_ShouldExportnFilterBysyncAnnotScangetAnnotsCSVdoCaptioncaptionStyle../Plug-ins/TestTools/AcroNGLTools/signOutqe-ngl-tool--PROD--clean--save--user--password--APPIDappPathAcroAMT::IsValidatedAcroAMT::GetLicensingDataAcroAMT::GetPreOPLLicensingDataAcroAMT::ValidateAndActivateSerialAcroAMT::GetSignInMenuLabelAcroAMT::GetTrialRHPGoURLsAcroAMT::GetTrialRHPStringsAcroAMT::GetUpsellStringsAcroAMT::ProvisionOnDemandAcroAMT::ShowPlugPlugUIAcroAMT::AutoDetectUpgradeAcroAMT::CheckForUpdatesAcroAMT::IsARMBusyAcroOOBE::ProvisionAdobeIdAcroOOBE::LoadOnlineTrialAcroOOBE::IsActiveLicensePresentAcroNGL::NGLUserSignOutAcroNGL::NGLUserSignInAcroNGL::NGLUserUpdateProfileAcroNGL::NGLCurrentUserAdobeIDAcroNGL::AppModeisValidatedvalidationResultsignInLabelbuyNowURLlearnMoreURLNGLUserSignOutStatususer_nameuser_passwdNGLCurrentUserAdobeIDAppModeMinis3DPageViewWillDestroyA12_3DSnapEndpoints.pdfA12_3DSnapLine.pdfA12_3DSnapCircles.pdfA12_3DSnapSils.pdfA12_3DSnapFaces.pdfA12_3DPointPoint.pdfA12_3DPerpDim.pdfA12_3DRadialDim.pdfA12_3DAngleDim.pdfC_Delta_Triangle_8x8_N.pngShowCoords3D3DShowHideMeasurementToolbar3DShowHideMeasurementInfoMeasureDisplayAs3DCancelMeasurement3DMeasurePrefs3DMeasurementNavigationTips3DSnapToContent3DMeasureEnableMarkup3DMeasureLabel3DMeasureDisableCoordina
    • https://dc-api.adobe.io/schemas/discovery_v1.json
    • https://dc-api.adobe.io/discoveryCheckForPDFServicesByDefault[resources][users][get_user][http_method][resources][users][get_user][resource_parameter][default]?fields=identity,subscriptions,limits/acrobat,limits/esign,limits/send,limits/fillsign,limits/conversions,storage/document_cloud,request_provisioning?appIds=[resources][users][get_user][accept][user_v1.json][resources][connector][[http_method
    • https://acroipm2.adobe.com/assets/PingURLIPMUpsellExpPingFeatTcatParamEntitlementStatusFTEDialog/ACROBAT_SIGNEDOUT_PING/REDUCDEDMODE_SIGNEDOUT_PINGIsUpsellCTAonClosedLHPExpEnabledRotateUpsellModalsExpEnabledIfFeatRunningNewMegaverbRCMExpEnabledIfFeatRunningresourceAlreadyExistsresourceNotFoundrelativeURLoriginalURLoverwritenavigator/NglIngestEventNglIngestNetworkEventNglIngestWorkflowEventNglIngestProfileEventNglIngestStorageEventNgl
    • http://ns.adobe.com/pdf/navigator/navigators/http://ns.adobe.com/pdf/navigator/navigators/AdobeClickThroughhttp://ns.adobe.com/pdf/navigator/navigators/TileSuppressInvalidNavsDialog?????PNGNAVAX_Port_BasicGrid_Md_N.pngpreviousCardnextCarddeleteFiledeleteFolderextractFileextractFoldereditFileeditFileTooltipprintFileshowInfocloseInfobackFoldercloseFoldershowMiniNavcloseMiniNavclosePreviewpageUppageDownmediaPlaymediaPausemediaAdjustVolumeribbonOpenhttp://ns.adobe.com/pdf/navigator/navigators/Detailshttp://ns.adobe.com/pdf/navigator/navigatorshasUnreadShowUnreadNotificationBezelShouldEverShowUnreadNotificationBezelA_CloseTimedMessage_Sm_N.pngacrobat:Inbox?show/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVWorkflowUnreadNotification.cppHideLaterIdleProcA_UnreadNotification_30x30_N.pngprotectmodal/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVProtectCefModal.cppFileProtectedProtectSimplifyExperienceNew
    • https://platform-cs-stage.adobe.io/indexhttps://platform-cs.adobe.io/index/Users/soluser/cbtprod/Acrobat/Viewer/AcroView/Source/AVAXMerchandizing.cppDoCheckIfUserIsACPProvisionedDelayedProcchildren_embeddedhttp://ns.adobe.com/adobecloud/rel/metadata/repositoryrepo:assetClassstorage:directoryTypedirectoryassigned_linkshttp://ns.adobe.com/adobecloud/rel/createrepo:maxSingleTransferSizehrefhttp://ns.adobe.com/adobecloud/rel/block/initSCUploadCreate_Uploadmultipart/form-data
    • http://ns.adobe.com/adobecloud/rel/primary
    • http://ns.adobe.com/adobecloud/rel/block/transferhttp://ns.adobe.com/adobecloud/rel/block/finalizeDoMonitorDelayedProc_UPFAIL_TM_UP_ERRrespondWith=http%3A%2F%2Fns.adobe.com%2Fadobecloud%2Frel%2Fmetadata%2Frepository&path=temp%2Ftemp&intermediates=true---------ADCFileStoreADCFileStore---------Content-Disposition
    +90 more URL(s)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
polyglot_child_pdf_off0001bfe1.pdf
7c22718826d0eb17e86c375df8d4bed18b5b18e41b7efaf9955602e4348c0644		 polyglot-child-pdf Secondary PDF body inside rtf container at offset 0x1BFE1 1774625 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 436 long base64-like blob(s). Carved artifact contains 2 long hex-escaped blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.